sirbounty asked:
WMI script needed - reset password

I am in need of a script that should take a CSV file and convert user names based upon the results found there and reset the passwords of each converted account.

Sample file would read:

ThomasJ,N123456
StacyR,N012345
BobL,N999888
etc...

2003 AD, single DC.
For this question, please help in resetting user passwords.
This is important/critical to me, so I didn't want to limit it to two questions in one post for 500 points.

Thanx!
Anthony_E

Assign a password to a user
script from this site: http://www.microsoft.com/technet/scriptcenter/scripts/ad/users/pwds/uspwvb01.mspx

--------------------------
Set objUser = GetObject _
    ("LDAP://cn=MyerKen,ou=management,dc=fabrikam,dc=com")

objUser.SetPassword "i5A2sj*!"
--------------------------

hope that helps
sirbounty (ASKER)

Okay, so as long as I can pull the CN from my text file, I can do this - but these users are among different OUs - does that matter?
Sorry, I'm not sure. I just pulled it from the site; I'm not that good with scripting, I can just do basics, but I suppose it wouldn't matter.
Okay, using that and this (found at http://www.microsoft.com/technet/scriptcenter/resources/qanda/oct04/hey1021.mspx)
I may be able to locate the CN of the user, but I'm not sure how to pull in the user from the list...

Const ADS_SCOPE_SUBTREE = 2

Set objConnection = CreateObject("ADODB.Connection")
Set objCommand =   CreateObject("ADODB.Command")
objConnection.Provider = "ADsDSOObject"
objConnection.Open "Active Directory Provider"
Set objCommand.ActiveConnection = objConnection

objCommand.Properties("Page Size") = 1000
objCommand.Properties("Searchscope") = ADS_SCOPE_SUBTREE

''''if I can pull in each username and set it to a variable here, presumably, all I have to do is loop this section for each account.  But if I'm using my csv file, which I'd rather, I'll need to split the string...

objCommand.CommandText = _
    "SELECT distinguishedName FROM 'LDAP://dc=fabrikam,dc=com' " & _
        "WHERE objectCategory='user' " & _
            "AND sAMAccountName='kenmyer'"
Set objRecordSet = objCommand.Execute

objRecordSet.MoveFirst
Do Until objRecordSet.EOF
    strDN = objRecordSet.Fields("distinguishedName").Value
    arrPath = Split(strDN, ",")
    intLength = Len(arrPath(1))
    intNameLength = intLength - 3
    Wscript.Echo Right(arrPath(1), intNameLength)
    objRecordSet.MoveNext
Loop

SOLUTION
mdiglio
(solution text only available to Experts Exchange members)
Thanx - let me test this.
I probably don't need to populate strPWD - I'll be resetting all passwords to "password"...

I've already got a script that will rename their home shares to the new name, but needed a way to do the accounts too, since we'll be using pass-thru authentication for a little while...
This won't help you with renaming the accounts but I wanted to put it out there anyway.
The tool ADModify might come in handy for some of the stuff you are trying to do or may need to do.

download it from here:
Classroom Stuff
http://www.petri.co.il/class.htm

Although this article discusses using it for Exchange administration, it can also be used for AD administration:
Using ADModify to Change Exchange Specific AD User Attributes in Bulk
http://www.msexchange.org/articles/ADModify-Change-Exchange-Specific-AD-User-Attributes.html
SirBounty...

This works for me.  I created 6 new users in 2 new OUs and manipulated their passwords 3 times.  I interspersed each pass with actually logging into their accounts with the new password and everything seemed to work as expected.  You may want to consider adding some error trapping and/or logging to it.  If you'd like assistance with that I'd be more than happy to oblige.


'**********************************************************************************
' SetPassword.vbs
'
' The SetPassword method operates differently on Windows 2000 than it does on XP...
' Prior to Windows XP, ADSI called NetUserSetInfo in the security context in which
' the thread was running, and not in the security context specified in the call to
' OpenDSObject.  As a result, the SetPassword method can fail on Windows 2000 if
' the script is run in a user context that does not have sufficient rights.
'
' To avoid this issue, run this script from Windows XP (or higher) or use the RUNAS
' command to provide alternate credentials.
'
' NOTE:  After this script finishes it may be a few minutes before the new
'        passwords take effect.
'
' Lynn C. Ransdell, 03/03/2005
'
'**********************************************************************************

' This script reads a CSV file containing the "username" and new password.  The
' username is the "login name" or SAM account name.  We use this to find the
' "distinguished name" from Active Directory in order to be able to reset the password.
'
' Sample file would read:
'
'    ThomasJ,N123456
'    StacyR,N012345
'    BobL,N999888
'    etc...
'
' 2003 AD, single DC.
'**********************************************************************************

Const ADS_SCOPE_SUBTREE = 2
Const ADS_SECURE_AUTHENTICATION = 1

AdminUser  = "Administrator"          ' Be sure to change
AdminPswd  = "admin"                  '      change these
InputFile  = "e:\ee\Users.txt"        '            4 variables to
Domain     = "fabrikam.com"           '                  match your environment

' if your domain name is more than 2 nodes, or you just want the code to be "dynamic",
' you can use "split" to create an array of nodes and adjust the logic below to loop
' thru the array to build the correct SELECT statement string.
'
part1 = Left(Domain,Instr(Domain,".") - 1)
part2 = Mid(Domain,Instr(Domain,".") + 1)

Set FSO    = CreateObject("Scripting.FileSystemObject")
Set oFile  = FSO.OpenTextFile(InputFile)

Set objConnection = CreateObject("ADODB.Connection")
Set objCommand    = CreateObject("ADODB.Command")
objConnection.Provider = "ADsDSOObject"
objConnection.Open "Active Directory Provider"
Set objCommand.ActiveConnection = objConnection

objCommand.Properties("Page Size") = 1000
objCommand.Properties("Searchscope") = ADS_SCOPE_SUBTREE

Set openDS = GetObject("LDAP:")

' AtEndOfStream (not AtEndOfLine) is the end-of-file test; AtEndOfLine would stop
' the loop early at the first blank line in the input file.
Do Until oFile.AtEndOfStream
   LineIn = oFile.ReadLine
   Field  = Split(LineIn, ",")
   ' Lines without a comma (blank lines, "etc...") are skipped.
   If Ubound(Field) > 0 Then
      Field(0) = Trim(Field(0))
      Field(1) = Trim(Field(1))

      ' NOTE: the SAM account name is spliced straight into the query string,
      ' so the input file must come from a trusted source.
      objCommand.CommandText = _
          "SELECT distinguishedName FROM 'LDAP://dc=" & part1 & ",dc=" & part2 & "' " & _
           "WHERE objectCategory = 'user' " & _
             "AND SAMAccountName = '" & Field(0) & "'"
      Set objRecordSet = objCommand.Execute

      ' Execute already positions the recordset on the first row; MoveFirst on an
      ' empty recordset (unknown account) raises an error, so test EOF instead.
      If objRecordSet.EOF Then
         Wscript.Echo "WARNING: no user found with SAMAccountName " & Field(0)
      End If

      Do Until objRecordSet.EOF
          DN = objRecordSet.Fields("distinguishedName").Value
      ''' Wscript.Echo "SAMacct= " & Field(0) & " DN= " & DN

          'get the user acct info based on the distinguished name
          'and set the new password to what was read from the input file.
          Set usr = openDS.OpenDSObject("LDAP://" & Domain & "/" & DN, AdminUser, AdminPswd, ADS_SECURE_AUTHENTICATION)
          usr.SetPassword Field(1)
      ''' Wscript.Echo "Password set to: " & Field(1)

          objRecordSet.MoveNext
      Loop
      objRecordSet.Close
   End If
Loop

oFile.Close

Set usr = Nothing
Set objCommand.ActiveConnection = Nothing
Set objCommand = Nothing
Set objConnection = Nothing
Set openDS = Nothing
Set oFile = Nothing
Set FSO = Nothing


-- Lynn
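The same procedure sirbounty asked about above (read each CSV line, split it into account name and password, look the account up, reset the password) and that Lynn's SetPassword.vbs implements, written as an added PowerShell example. This is not code from the thread or from any of its participants. It assumes the RSAT ActiveDirectory module is available (which needs Active Directory Web Services on a domain controller, i.e. Windows Server 2008 R2 or later, or the Active Directory Management Gateway Service on 2003), that the CSV has no header row as in the sample file, and that the account running it already holds the Reset Password right on the target users, so no administrator password is stored in the script the way AdminPswd is in the VBScript. The script name, the log file name and the -ForceChangeAtLogon switch are this example's own choices.

```powershell
<#
  Reset-PasswordsFromCsv.ps1 -- added example, not code from the thread.
  Assumptions: RSAT ActiveDirectory module available, CSV without a header row
  (sample: "ThomasJ,N123456"), and the caller already has the Reset Password
  right on the target users (no admin credentials hard-coded in the script).
#>
#Requires -Modules ActiveDirectory
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [Parameter(Mandatory = $true)]
    [string]$InputFile,                      # e.g. E:\ee\Users.txt (path assumed)
    [bool]$ForceChangeAtLogon = $true,       # don't leave the CSV value as the permanent password
    [string]$LogFile = (Join-Path (Get-Location) 'SetPassword.log')
)

Import-Module ActiveDirectory -ErrorAction Stop

function Write-Log([string]$Message) {
    # Timestamped audit line; the password itself is never written to the log.
    "$(Get-Date -Format s) $Message" | Add-Content -Path $LogFile
}

# -Header names the two columns because the sample file has no header line.
$rows = Import-Csv -Path $InputFile -Header 'SamAccountName', 'NewPassword'

foreach ($row in $rows) {
    $sam         = ([string]$row.SamAccountName).Trim()
    $newPassword = ([string]$row.NewPassword).Trim()

    # Lines like "etc..." or blank lines have no second column: skip them, don't guess.
    if (-not $sam -or -not $newPassword) {
        Write-Warning "Skipping malformed line: '$($row.SamAccountName)'"
        continue
    }

    # -Identity accepts a sAMAccountName directly, so the value is passed as a
    # parameter instead of being spliced into an LDAP/SQL query string.
    try {
        $user = Get-ADUser -Identity $sam -ErrorAction Stop
    } catch {
        Write-Log "FAIL $sam lookup: $($_.Exception.Message)"
        Write-Warning "No account found for '$sam'"
        continue
    }

    # -WhatIf / -Confirm support: nothing is changed unless ShouldProcess agrees.
    if (-not $PSCmdlet.ShouldProcess($user.DistinguishedName, 'Reset password')) { continue }

    $secure = ConvertTo-SecureString -String $newPassword -AsPlainText -Force
    try {
        Set-ADAccountPassword -Identity $user -Reset -NewPassword $secure -ErrorAction Stop
        if ($ForceChangeAtLogon) {
            # The reset value is known to whoever wrote the CSV; make the user replace it.
            Set-ADUser -Identity $user -ChangePasswordAtLogon $true -ErrorAction Stop
        }
        Write-Log "OK   $sam $($user.DistinguishedName)"
    } catch {
        # Typical causes: the domain password policy rejected the value, or
        # "Access is denied" because the caller lacks the Reset Password right on
        # this particular object. Log the account, not the password.
        Write-Log "FAIL $sam $($_.Exception.Message)"
        Write-Warning "Failed to reset password for '$sam': $($_.Exception.Message)"
    }
}

# Usage (dry run first):
#   .\Reset-PasswordsFromCsv.ps1 -InputFile E:\ee\Users.txt -WhatIf
#   .\Reset-PasswordsFromCsv.ps1 -InputFile E:\ee\Users.txt
```

Running it once with -WhatIf lists every distinguished name that would be touched without changing anything, which is the check to do before a bulk reset; the log file then records which accounts were reset and which failed, and why, without ever recording the passwords.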
ASKER CERTIFIED SOLUTION
(solution text only available to Experts Exchange members)
Thanx again all.
I won't be able to fully test this until Tuesday - but will post a new question if I need further help.
I am using the script below. It worked great when a person that has an account that is a member of Domain Admins ran it. However, my account is a part of the Account Operators group. I pretty much have all other permissions besides being a Domain Admin. When I run the script it errors out when trying to set the password. I believe it works out as Line 84.unt ran the script. The exact command that the script fails on is

usr.SetPassword Field(1)

The error is Permission Denied. We can see it failing on the DC, but it doesn't make any sense why. I can go into AD and reset a password, however I can't in the script. I guess the question is, do you HAVE to have an account that is a member of Domain Admins to run the account.

Thanks.
